The present invention relates to a countermeasure method in a microcircuit.
It also relates to a microcircuit implementing the method and portable media of the smart card type having such a microcircuit.
It should be noted that a microcircuit for portable devices such as smart cards has an architecture formed around a processor (or microprocessor) comprising a controller and an arithmetic and logic unit (ALU) connected by a bus to memories, including a non-volatile program memory which contains the sensitive data item or items (secret keys) of a cryptography algorithm for example. The controller manages the input/output signals I/O (instructions, addresses, data) and the arithmetic and logic unit performs arithmetic operations on the data on command of the controller.
Such microcircuits are used in smart cards for certain applications, for example applications for accessing certain data banks, banking applications, remote charging applications, for example for television, petrol dispensing or passing through motorway tolls.
The invention is applicable most particularly to the security of sensitive data in media such as smart cards. It concerns secret data manipulated by the processor of the microcircuit and liable to pass over the bus connecting the memories to this processor.
The invention is applicable to the security of secret information such as the secret code of the user of a smart card or the electronic keys used in cryptographic calculation operations for the encryption and/or authentication and/or electronic signing of messages.
The invention is applicable in particular in the case of the implementation of secret key cryptography algorithms or of so-called public key algorithms. Such algorithms are used in applications where the access to services or to data is strictly controlled.
Amongst the secret key cryptography algorithms there can be cited the DES (Data Encryption Standard) algorithm. Other secret key algorithms exist, like the RC5 algorithm or the COMP128 algorithm. This list is of course not exhaustive.
Amongst the public key cryptography algorithms there can be cited RSA (Rivest, Shamir and Adleman), El Gamal, Schnorr, Fiat Shamir, or DSA or DSS.
Briefly and in general terms, the aim of these algorithms is to perform cryptographic calculations from a host system (server, cash dispenser, etc.) and the secret key or public and secret keys contained in the card, and to supply in return to the host system an encrypted message or to allow an authentication of the microcircuit (of the card), or to sign messages.
The entire security of these cryptography algorithms relies on the fact of being able to keep secret the data which must remain so. In the case of cryptographic algorithms, the secret key or keys cannot be deduced solely from knowledge of the information exchanged between the card and the outside world.
However, it has emerged that external attacks based on the current consumption, or on a differential analysis of the current consumption, while the cryptography processor or the processor of a smart card performs calculation operations that manipulate secret data, allow ill-intentioned third parties to find the secret key contained in this card. Such attacks are referred to as DPA (Differential Power Analysis) attacks.
The principle of these DPA attacks relies on the fact that the current consumption of the processor executing instructions varies according to the data manipulated.
In particular, when an instruction executed by the processor requires manipulation of a data item bit by bit, there are two different current profiles depending on whether this bit is equal to “1” or “0”. Typically, if the processor is manipulating a “0”, there is at that execution instant a first amplitude of the consumed current and, if the processor is manipulating a “1”, there is a second amplitude of the consumed current, different from the first.
Thus the DPA attack exploits the difference in the current consumption profile of the card during execution of an instruction according to the value of the bit manipulated. Simplified, the course of a DPA attack consists in: identifying one or more particular periods in the progression of the algorithm comprising the execution of at least one instruction manipulating data items bit by bit; plotting a very large number N of current consumption curves during this or these periods, one curve per different message to which the algorithm is applied; predicting, for each curve, the value taken by one bit of the data item under an assumption on a subkey, that is to say on at least part of the secret key, which allows the prediction to be made; and sorting the curves according to the corresponding Boolean selection function, so that a first bundle of curves is obtained for which the prediction is equal to “1” and a second bundle of curves is obtained for which the prediction is equal to “0”. By performing a differential analysis of the mean current consumption between the two bundles of curves obtained, an information signal DPA(t) is obtained.
If the subkey assumption is not true, each bundle in actual fact comprises as many curves corresponding to manipulation of a “1” as curves manipulating a “0”. The two bundles are therefore equivalent in terms of current consumption and the information signal is substantially zero. If the subkey assumption is true, one bundle actually comprises the curves corresponding to manipulation of a “1” and the other bundle actually comprises the curves corresponding to manipulation of a “0”: the information signal DPA(t) obtained is not zero: it comprises consumption peaks corresponding to manipulation by the processor of the bit on which the sort was based. These peaks have an amplitude corresponding to the difference in consumption by the processor depending on whether it is manipulating a “1” or a “0”. Thus, gradually, it is possible to discover all or part of the secret key contained in a microcircuit.
There are numerous algorithms for the execution of which the processor or an associated calculation unit (cryptoprocessor) has to perform bit-by-bit data manipulations at certain moments.
This is the case in particular, as has been said, for cryptographic algorithms. By analysing the current consumption during the execution of these bit-by-bit manipulations, it is possible to find the value of at least certain bits of the manipulated data item. The knowledge of this data item can provide information on intermediate results obtained during execution of the cryptography algorithm, which in their turn can make it possible to find at least some of the bits of the secret key used.
The applicant realised that such an attack can be carried out by observing the current consumption variations related to transitions of binary values on the microcircuit bus. This is because the applicant observed that a change of state between two bits of the same significance from one data item to the next causes a higher consumption than the case where there is no change of state. Thus, transitions leave a signature for the data which flow on the bus. This situation is of course very prejudicial where these data are secret data.
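As an added illustration, not part of the patent text, the following Python simulation ties together the difference-of-means signal DPA(t) described above and the bus-transition signature the applicant observed: each constructed trace leaks, at one sample, the number of bus lines that change state when the bus goes from carrying a message nibble to carrying the result of a toy S-box step keyed with a secret nibble, the traces are sorted by the predicted state change of one bus line under a subkey hypothesis, and the mean consumption of the two bundles is subtracted. The 4-bit S-box (the PRESENT S-box), the three-sample trace shape, the noise model and all function names are assumptions of this toy, not anything from the patent.

```python
import random

# Constructed toy nonlinear step: the PRESENT 4-bit S-box, chosen only for brevity.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SENSITIVE_SAMPLE = 1  # sample at which the bus switches from msg to SBOX[msg ^ key]


def hamming_distance(a, b):
    """Number of bus lines that change state between value a and value b."""
    return bin(a ^ b).count("1")


def simulate_trace(msg, key, noise, rng):
    """Constructed leakage model: three samples [idle, transition, idle].
    The middle sample grows with the number of bus lines that toggle when the bus
    goes from carrying msg to carrying SBOX[msg ^ key]; Gaussian noise is added."""
    leak = hamming_distance(msg, SBOX[msg ^ key])
    return [s + rng.gauss(0.0, noise) for s in (0.0, float(leak), 0.0)]


def predict_toggle(msg, guess, bit):
    """Boolean selection function: under subkey hypothesis `guess`, does bus line
    `bit` change state between msg and SBOX[msg ^ guess]?"""
    return ((msg ^ SBOX[msg ^ guess]) >> bit) & 1


def dpa_curve(msgs, traces, guess, bit=0):
    """DPA(t): mean of the bundle predicted '1' minus mean of the bundle predicted '0'."""
    bundles = {0: [], 1: []}
    for m, tr in zip(msgs, traces):
        bundles[predict_toggle(m, guess, bit)].append(tr)
    n_samples = len(traces[0])
    if not bundles[0] or not bundles[1]:      # degenerate sort: no signal to compare
        return [0.0] * n_samples
    means = {b: [sum(tr[t] for tr in grp) / len(grp) for t in range(n_samples)]
             for b, grp in bundles.items()}
    return [means[1][t] - means[0][t] for t in range(n_samples)]


def noiseless_dpa(key, guess):
    """Exact DPA(t) using each of the 16 messages once and no noise."""
    msgs = list(range(16))
    traces = [simulate_trace(m, key, 0.0, random.Random(0)) for m in msgs]
    return dpa_curve(msgs, traces, guess)


def noisy_dpa(key, guess, n_traces=4000, noise=1.0, seed=1):
    """Same statistic over many random messages with noisy samples, as in a capture."""
    rng = random.Random(seed)
    msgs = [rng.randrange(16) for _ in range(n_traces)]
    traces = [simulate_trace(m, key, noise, rng) for m in msgs]
    return dpa_curve(msgs, traces, guess)


if __name__ == "__main__":
    print("true subkey assumption: ", noiseless_dpa(0x5, 0x5))  # peak at sample 1
    print("false subkey assumption:", noiseless_dpa(0x5, 0x0))  # substantially zero
```

With the true assumption the curve shows a peak only at the transition sample, which is exactly the consumption difference a countermeasure acting on bus transitions has to remove; a false assumption splits the traces into two equivalent bundles and the signal stays flat.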